If you had, say, 10 or 20 users on the 1Gbps plan, or even 100-200 users on the 200Mbps plan, and they had misconfigured routers (consider they could do 200Mbps upload) opening them up to the likes of DNS amplification etc.
There seems to be a shift to ISP-provided routers, which will most likely make this temporarily less common. Although IPv6 is another possible vector.
Now those users are maxing out the upload capacity of the handover; you have no ability to QoS the malicious users, as the QoS would need to come before hitting the handover, i.e. on the CPE.
Disconnect the user.
Suddenly everyone on the handover is impacted from a handful of users that wanted the faster speed just because it was available and affordable.
Same as any DDoS really. The cheap availability of gigabit dedicated servers etc. makes it easier to DDoS with high volumes of traffic.
The DNS amplification that hurt Spark for a whole weekend was, I can only assume, caused by such a large number of affected devices filling up the handovers, and also because it was targeted at their DNS. Imagine an attack of that magnitude: tens of thousands of end users on 200 or even 100Mbps circuits filling up a 10Gbps, or at this point even an 80Gbps, handover LAG.
Didn't that mostly hurt their DNS servers? Maybe their DNS servers were not overprovisioned enough. Maybe there was something silly like state, or it was going to servers that were timing out and tying up resources too much. That Cloudflare blog had something about a South American ISP advertising to be Cloudflare IPs and overloading transit in South America in general. (I imagine not all of it.) But wherever there are oversubscribed shared links these things can happen.
When you talk about regional handovers up and down the country then the problem gets worse as you then obviously need to backhaul that capacity to Auckland before getting out to the internet, so this also has to be considered too.
Any thoughts on the matter?
Block UDP! The internet is just Facebook and Google. I think at the moment things are reasonably safe, as with things like DNS and SNMP amplification attacks you can block the incoming traffic and it'll stop sending out again. It could get more complicated if malicious people were smarter about these things, which doesn't seem to be happening quickly, at least. I think in a way you can't plan for whatever may happen, and you just have to look at it from the point of view of fixing it. And often that means disconnecting the users if you can't stop the traffic with a port block.

I'm actually surprised that there hasn't been more "real" traffic, like real HTTP requests to popular web sites that look like normal requests (i.e. they play back normal browsing-type sessions they've captured from somewhere else, or pretend to be a browser) and so forth, making it harder to block.

My biggest concern ATM over DDoS is when IPv6 starts becoming widely used: a lot of people use NAT as a firewall, and when they implement IPv6 they don't protect their hosts properly. And there's a bit of a tie-in between people wanting new faster connections and wanting to enable IPv6.

Ben.
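The scenario the thread keeps coming back to, a handful of subscribers whose CPE answers DNS on the WAN side and reflects spoofed queries until the handover fills, can be spotted from ordinary flow exports before the handover is saturated. The script below is an added example written for this thread, not code from any of the posters or from any ISP; the flow records, the 198.51.100.0/24 subscriber pool, the 10x amplification and 10 Mbit/s thresholds and the 60-second window are all constructed assumptions. It counts, per subscriber, UDP/53 bytes received as queries versus UDP/53 bytes sent as responses, flags hosts whose ratio and output rate look like reflection, and then shows what those few hosts alone do to a 1 Gbit/s handover.

```python
"""
Flag probable DNS-amplification reflectors among an ISP's subscribers from
UDP flow records, and estimate what their reflected traffic does to a handover.

Added example for this thread; constructed data, not real Spark/ISP telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One exported flow record (NetFlow/IPFIX style, fields reduced)."""
    src: str
    dst: str
    proto: str    # "udp" or "tcp"
    sport: int
    dport: int
    packets: int
    octets: int


# Constructed sample: one 60-second export window. Addresses are RFC 5737
# documentation ranges; 198.51.100.0/24 stands in for the subscriber pool.
SUBSCRIBERS = ip_network("198.51.100.0/24")
WINDOW_SECONDS = 60
VICTIM = "203.0.113.10"      # spoofed source address the attacker wants flooded
ISP_RESOLVER = "192.0.2.53"  # the ISP's own recursive resolver

SAMPLE_FLOWS = []
# Three CPEs answering DNS on the WAN side: ~64-byte spoofed queries in,
# ~3000-byte responses out, 500k packets each within the window.
for host in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):
    SAMPLE_FLOWS.append(Flow(VICTIM, host, "udp", 40000, 53, 500_000, 32_000_000))
    SAMPLE_FLOWS.append(Flow(host, VICTIM, "udp", 53, 40000, 500_000, 1_500_000_000))
# A subscriber running a small authoritative server: modest responses, low ratio.
SAMPLE_FLOWS.append(Flow("192.0.2.7", "198.51.100.7", "udp", 51000, 53, 1_000, 70_000))
SAMPLE_FLOWS.append(Flow("198.51.100.7", "192.0.2.7", "udp", 53, 51000, 1_000, 200_000))
# An ordinary client talking to the ISP resolver: port 53 sits on the resolver,
# not on the subscriber, so the subscriber is never counted as serving DNS.
SAMPLE_FLOWS.append(Flow("198.51.100.50", ISP_RESOLVER, "udp", 40001, 53, 20, 1_400))
SAMPLE_FLOWS.append(Flow(ISP_RESOLVER, "198.51.100.50", "udp", 53, 40001, 20, 4_000))
# A zone transfer over TCP from the same server: ignored, amplification rides on UDP.
SAMPLE_FLOWS.append(Flow("198.51.100.7", "192.0.2.7", "tcp", 53, 52000, 3_000, 4_000_000))


def dns_reflection_stats(flows, subscribers=SUBSCRIBERS):
    """Per subscriber: octets of UDP/53 queries received and responses sent."""
    stats = defaultdict(lambda: {"in_octets": 0, "out_octets": 0})
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == 53 and ip_address(f.dst) in subscribers:
            stats[f.dst]["in_octets"] += f.octets
        elif f.sport == 53 and ip_address(f.src) in subscribers:
            stats[f.src]["out_octets"] += f.octets
    return dict(stats)


def flag_reflectors(flows, window_seconds=WINDOW_SECONDS,
                    min_factor=10.0, min_out_bps=10_000_000):
    """Return subscribers whose DNS responses dwarf the queries they receive.

    Both thresholds are assumptions chosen for this example: a bytes-out to
    bytes-in ratio of at least 10x AND at least 10 Mbit/s of responses, so a
    lightly used legitimate server with a low ratio is not flagged.
    """
    flagged = []
    for ip, s in dns_reflection_stats(flows).items():
        if s["in_octets"] == 0:
            continue
        factor = s["out_octets"] / s["in_octets"]
        out_bps = s["out_octets"] * 8 / window_seconds
        if factor >= min_factor and out_bps >= min_out_bps:
            flagged.append({"ip": ip, "factor": factor, "out_bps": out_bps})
    return sorted(flagged, key=lambda r: r["out_bps"], reverse=True)


def handover_utilisation(flagged, handover_bps):
    """Fraction of a handover's capacity consumed by the flagged reflectors alone."""
    return sum(r["out_bps"] for r in flagged) / handover_bps


if __name__ == "__main__":
    hits = flag_reflectors(SAMPLE_FLOWS)
    for r in hits:
        print(f"{r['ip']}: {r['factor']:.1f}x amplification, "
              f"{r['out_bps'] / 1e6:.0f} Mbit/s out")
    util = handover_utilisation(hits, 1_000_000_000)
    print(f"reflected load on a 1 Gbit/s handover: {util:.0%}")
```

With the constructed data, three CPEs each pushing 200 Mbit/s of responses (the full upload of the 200Mbps plan mentioned above) put 60% of a 1 Gbit/s handover into reflected DNS, which is the whole-handover impact the thread describes. The ratio test is what separates a reflector from a subscriber who simply runs a DNS server, and keying on the subscriber's source port 53 rather than any port-53 traffic keeps ordinary resolver clients out of the list. In practice the inbound side of the flagged flows is the traffic to block at the edge, which is the point made above that stopping the incoming queries stops the outbound responses.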